Internet Communications Using SIP: Delivering VoIP and Multimedia Services with Session Initiation Protocol (2nd ed.)


Confidentiality can also be done end to end in SIP using Secure Multipurpose Internet Mail Extensions (S/MIME) [9]. Information in a SIP message body, or selected SIP header fields not required for proxy routing, can be encrypted using S/MIME and carried in the message body. For example, SDP information about the media, including a media key (discussed in the section, “Media Security,” later in this chapter) could be encrypted using S/MIME.


Integrity


Integrity allows the recipient of a SIP request to know that the contents of the message have not been modified by a third party. Integrity can be ensured by using a secure hash or by using digital signatures.

Digest authentication provides integrity protection across the method type and the Request-URI. However, any other SIP header field, including a critical header field such as Contact, does not have integrity protection. Digest does have an option that provides integrity protection across the SIP message body. This provides integrity protection over the message body between the UA and the challenging proxy server.

The use of TLS transport provides integrity protection. However, only Secure SIP, which requires TLS over every hop, provides integrity from end to end.

An S/MIME signature can also be used, but only if the other UA requires the presence of the S/MIME body. Otherwise, an attacker could simply modify the SIP request and remove the S/MIME signature body. S/MIME also requires the use of certificates. The UA receiving the request needs to be able to obtain the public key of the sender to verify the signature.
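The coverage limits of Digest described above can be checked directly by computing the Digest response (RFC 2617 style, as used by SIP) for a request and then recomputing it after individual parts of the request are altered. The following is an added example written for this chapter, not code from the book; the INVITE, the credentials and the nonce values are constructed, and `coverage_report` is a helper name chosen here. It shows that with `qop=auth` only the method and Request-URI are bound into the response, that `qop=auth-int` additionally binds the message body, and that a change to the Contact header field goes unnoticed in both cases.

```python
import hashlib

# Constructed credentials and challenge parameters (not from the book).
USER, REALM, PASSWORD = "alice", "example.com", "correct horse battery staple"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"

# Constructed sample INVITE with an SDP body (not from the book).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@pc33.example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 pc33.example.com\r\n"
    "s=-\r\n"
    "c=IN IP4 pc33.example.com\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=""):
    """RFC 2617 Digest response for qop=auth or qop=auth-int."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if qop == "auth":
        # Only method and digest-uri are covered.
        ha2 = _md5(f"{method}:{uri}")
    elif qop == "auth-int":
        # auth-int additionally hashes the entity body into HA2.
        ha2 = _md5(f"{method}:{uri}:{_md5(body)}")
    else:
        raise ValueError("qop must be 'auth' or 'auth-int'")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_sip(message: str):
    """Split a SIP request into (method, request_uri, headers, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, uri, headers, body


def response_for(message: str, qop: str) -> str:
    method, uri, _headers, body = parse_sip(message)
    return digest_response(USER, REALM, PASSWORD, method, uri,
                           NONCE, NC, CNONCE, qop, body)


def coverage_report(message: str = SAMPLE_INVITE):
    """For each modification, report whether the Digest response changes.

    True means the change would be detected when the proxy recomputes the
    response; False means Digest offers no integrity protection for it.
    """
    modified = {
        "contact_header": message.replace(
            "sip:alice@pc33.example.com", "sip:mallory@pc99.example.com", 1),
        "sdp_body": message.replace("m=audio 49170", "m=audio 49172", 1),
        "request_uri": message.replace(
            "INVITE sip:bob@example.com", "INVITE sip:carol@example.com", 1),
    }
    report = {}
    for name, altered in modified.items():
        report[name] = {
            qop: response_for(message, qop) != response_for(altered, qop)
            for qop in ("auth", "auth-int")
        }
    return report


if __name__ == "__main__":
    for part, detected in coverage_report().items():
        print(f"{part:15s} auth={detected['auth']}  auth-int={detected['auth-int']}")
```

The output makes the chapter's point concrete: rewriting the Contact header field leaves the response identical under both `qop` values, so a proxy verifying Digest cannot notice it; the SDP change is caught only with `auth-int`; and the Request-URI change is caught in both modes. Note also that `auth-int` protection holds only between the UA and the challenging proxy, since the proxy is the party holding the shared secret.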


Identity


Identity in SIP means the SIP URI of the user. In receiving a request, a UA can look at the From header field and use this as the identity of the requestor. However, how do you know that a value in a From header field is accurate? If the UAs share a secret, an authentication challenge along the lines discussed in the earlier section, “Authentication,” would serve to validate the identity. However, in most cases, users will not have a shared secret with every other user they may want to establish SIP sessions with.

One way in which identity can be ensured is by policy in an administrative domain. Let’s say that all UAs within the example.com domain must register and authenticate with the example.com proxy server. Each user has a shared secret with the proxy and must produce it each time. Users do not share secrets


SIP Security 165